
I have a login form in my project which accepts username and password to validate and go forward.

I am using SQL Server as the back end. Initially, on my login page, if I enter the password in capitals or in lower case it validates and proceeds with the project. But now I want to add case-sensitive password validation to my password textbox so that it matches the exact order of password chars from the database.

How can I add this validation to the password field? Can it be added on the login form or in SQL Server?

slugster
Ankush Pruthi
  • How do you validate your password field? – Dhaval Patel Jul 16 '14 at 07:21
  • How are the passwords stored, did you calculate a hash? – martinstoeckli Jul 16 '14 at 07:21
  • The password field is validated against the data stored in the DB; no other validation is added on the password field. @Dhaval Patel – Ankush Pruthi Jul 16 '14 at 07:25
  • You shouldn't be storing your passwords as clear text in the database. But to do a case-sensitive database comparison, specify a [case sensitive collation](http://stackoverflow.com/q/3969059/109702). – slugster Jul 16 '14 at 07:26
  • The password is simply stored in nvarchar format in the DB; I do not calculate a hash. @martinstoeckli – Ankush Pruthi Jul 16 '14 at 07:27
  • I guess this is a school project? If not and it is for a website, please tell me the address so I'll never register at your site until you implement some kind of hashing on the password :) – SynerCoder Jul 16 '14 at 07:42
  • Without hashing, just compare input.ToLower() to storedPassword.ToLower(). With hashing, before hashing just use ToLower or ToUpper, then hash it and store it... – Zakos Jul 16 '14 at 07:55

3 Answers

1

There is nothing particular to do, however you should definitely avoid:

  • storing passwords in the clear
  • using a simple hash such as MD5 without some salt (i.e. some quantity of variability introduced while hashing)

One way to do that is to store the date of the last password change (such as a 64-bit integer) in the account together with the hash (something like SHA1 should be reasonable). When the user connects, the form is given the number (called a 'salt'), the form packs the salt with the typed password (in a predefined encoding such as UTF8), produces a hash of that, and transmits it on the wire as base64, for example (I mean your password field could be just a text field containing that base64-encoded hash). If the communication to the server (database or application) is secured, the password can transit on the wire without a problem. The server compares the two hashes and if they match it's OK.

The reason for the salt is that it hugely slows down attacks based on pre-built dictionaries of MD5 or SHA hashes being matched against your database of passwords (if it happens to be downloaded by hackers). It also helps if the connection can be read by a hacker, as the same pre-built dictionary attack could work on MD5 hashes passing on the wire.

armel
0

You can use a regex:

 ^(?=(.*\d){2})(?=.*[a-z])(?=.*[A-Z])(?=.*[^a-zA-Z\d]).{8,}$
        ---------  --------------------- --------------- -----
            |               |                    |          |->match 8 or more characters
            |               |                    |->match further only if there's anything except a letter or digit
            |               |->match further only if there is an upper- and a lower-case letter
            |
            |->match further only if there are any two digits

where

Demo Link

PrinceT
0

As others have mentioned, it is not good practice to store passwords as plain text. If that is what you are asked to do,

if(StringA == StringB) 

is itself case sensitive in C#.

SomeUser